[PHP-DB] Re: Stuck in apostrophe hell
OK, I figured it out. I followed the advice here to turn on MySQL logging (which took more doing than it should have), so I could see what's really being sent to MySQL. It wasn't choking on the query I posted in my message but a later one in which the string was not escaped.

The red herring that led me astray was the line no. indicated in the error message that pointed to the query I posted (or at least seemed to).

Anyway, thanks for the tips that got me pointed in the right direction.

Paul

Paul S. Johnson
RE: [PHP-DB] Re: Stuck in apostrophe hell
> -Original Message-
> From: Simcha Younger [mailto:sim...@syounger.com]
> Sent: 04 August 2010 08:19
>
> > paul_s_john...@mnb.uscourts.gov wrote:
> >
> > > THE INPUT:
> > >
> > > $sql_insert_registration = sprintf("INSERT INTO
> > > Registrations (
> > > Class_ID,
> > > prid,
> > > Registrant,
> > > Company,
> > > Phone,
> > > Email
> > > )
> > > VALUES (
> > > $_POST[Class_ID],
> > > $_POST[prid],
> > > '%s',".
>
> You need double-quotes here,
> \"%s\",

No, he doesn't. Single quotes are fine. Doubles would more than likely be a SQL error.

> > > parseNull($_POST['Company']).",
> > > '$_POST[Phone]',
> > > '$_POST[Email]'
> > > )", mysql_real_escape_string($_POST['Registrant']));
>
> --
> Simcha Younger

Cheers!

Mike

--
Mike Ford, Electronic Information Developer, Libraries and Learning Innovation,
Leeds Metropolitan University, C507 City Campus,
Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk
Tel: +44 113 812 4730

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Re: Stuck in apostrophe hell
> paul_s_john...@mnb.uscourts.gov wrote:
>
> > THE INPUT:
> >
> > $sql_insert_registration = sprintf("INSERT INTO
> > Registrations (
> > Class_ID,
> > prid,
> > Registrant,
> > Company,
> > Phone,
> > Email
> > )
> > VALUES (
> > $_POST[Class_ID],
> > $_POST[prid],
> > '%s',".

You need double-quotes here,
\"%s\",

> > parseNull($_POST['Company']).",
> > '$_POST[Phone]',
> > '$_POST[Email]'
> > )", mysql_real_escape_string($_POST['Registrant']));

--
Simcha Younger
[PHP-DB] Re: Stuck in apostrophe hell
paul_s_john...@mnb.uscourts.gov wrote:

> Yes, I may have mixed up the input and output from different iterations of
> running it. Let me try posting this again although it may not be an issue.
> Once again if I enter two sequential apostrophes in the name (O''Brien)
> the INSERT passes right through to MySQL without an error.
>
> THE INPUT:
>
> $sql_insert_registration = sprintf("INSERT INTO
> Registrations (
> Class_ID,
> prid,
> Registrant,
> Company,
> Phone,
> Email
> )
> VALUES (
> $_POST[Class_ID],
> $_POST[prid],
> '%s',".
> parseNull($_POST['Company']).",
> '$_POST[Phone]',
> '$_POST[Email]'
> )", mysql_real_escape_string($_POST['Registrant']));
>
> echo "$_POST['Registrant".$_POST["Registrant"]."";
> echo "".mysql_real_escape_string($_POST["Registrant"])."";
> echo "".$sql_insert_registration."";
>
>
> THE OUTPUT:
>
> Brian O'Brien
> Brian O\'Brien
> INSERT INTO
> Registrations (
> Class_ID,
> prid,
> Registrant,
> Company,
> Phone,
> Email
> )
> VALUES (
> 355,
> 257,
> 'Brian O\'Brien',NULL,
> '612-456-5678',
> 'someb...@somewhere.org'
> )
> Error: You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> 'Brien', 'Class registration confirmation', ' This email ' at line 16
>
>
> Paul S. Johnson
> U.S. Bankruptcy Court
> District of Minnesota
> paul_s_john...@mnb.uscourts.gov
> 612-664-5276

Check the settings for magic-quotes, and make sure you aren't using stripslashes somewhere? Also, echo the actual query that is being passed to mysql to check what is happening.

Cheers
--
David Robley

Life is Roff when yer Stewpid
Today is Sweetmorn, the 70th day of Confusion in the YOLD 3176.
Re: [PHP-DB] Re: Stuck in apostrophe hell
On Aug 3, 2010, at 5:44 PM, Chris wrote:

> On 03/08/10 23:04, paul_s_john...@mnb.uscourts.gov wrote:
> > Yes, I may have mixed up the input and output from different iterations of
> > running it. Let me try posting this again although it may not be an issue.
> > Once again if I enter two sequential apostrophes in the name (O''Brien)
> > the INSERT passes right through to MySQL without an error.
> >
> > THE INPUT:
> >
> > $sql_insert_registration = sprintf("INSERT INTO
> > Registrations (
> > Class_ID,
> > prid,
> > Registrant,
> > Company,
> > Phone,
> > Email
> > )
> > VALUES (
> > $_POST[Class_ID],
>
> ^^ needs a mysql_real_escape_string or validation to make sure it's an integer
>
> > $_POST[prid],
>
> ^^ needs a mysql_real_escape_string or validation to make sure it's an integer
>
> > '%s',".
>
> ^^ has a mysql_real_escape_string, but it's the only one.
>
> > parseNull($_POST['Company']).",
>
> Without knowing what this function does, it's hard to say what this needs.
>
> > '$_POST[Phone]',
>
> ^^ needs a mysql_real_escape_string
>
> > '$_POST[Email]'
>
> ^^ needs a mysql_real_escape_string
>
> > )", mysql_real_escape_string($_POST['Registrant']));
>
> This has already all been pointed out previously.
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/

didn't see this post, was in my spam folder

Karl DeSaulniers
Design Drumm
http://designdrumm.com
Re: [PHP-DB] Re: Stuck in apostrophe hell
On Aug 3, 2010, at 8:08 AM, Peter Lind wrote:

> On 3 August 2010 15:04, wrote:
> > Yes, I may have mixed up the input and output from different iterations of
> > running it. Let me try posting this again although it may not be an issue.
> > Once again if I enter two sequential apostrophes in the name (O''Brien)
> > the INSERT passes right through to MySQL without an error.
> >
> > THE INPUT:
> >
> > $sql_insert_registration = sprintf("INSERT INTO
> > Registrations (
> > Class_ID,
> > prid,
> > Registrant,
> > Company,
> > Phone,
> > Email
> > )
> > VALUES (
> > $_POST[Class_ID],
> > $_POST[prid],
> > '%s',".
> > parseNull($_POST['Company']).",
> > '$_POST[Phone]',
> > '$_POST[Email]'
> > )", mysql_real_escape_string($_POST['Registrant']));
> >
> > echo "$_POST['Registrant".$_POST["Registrant"]."";
> > echo "".mysql_real_escape_string($_POST["Registrant"])."";
> > echo "".$sql_insert_registration."";
> >
> > THE OUTPUT:
> >
> > Brian O'Brien
> > Brian O\'Brien
> > INSERT INTO
> > Registrations (
> > Class_ID,
> > prid,
> > Registrant,
> > Company,
> > Phone,
> > Email
> > )
> > VALUES (
> > 355,
> > 257,
> > 'Brian O\'Brien',NULL,
> > '612-456-5678',
> > 'someb...@somewhere.org'
> > )
> > Error: You have an error in your SQL syntax; check the manual that
> > corresponds to your MySQL server version for the right syntax to use near
> > 'Brien', 'Class registration confirmation', ' This email ' at line 16
>
> Strangely, you have still failed to provide the input that is actually sent to mysql.
>
> Look at the error code: "... for the right syntax to use near 'Brien', 'Class registration confirmation', ' This email '" - "Class registration confirmation" does not appear anywhere in the output section you posted but it appears in the mysql error. I'd do as Bret suggested and turn on query logging in mysql to see what is actually received.
>
> Regards
> Peter
>
> --
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> BeWelcome/Couchsurfing: Fake51
> Twitter: http://twitter.com/kafe15

Can't you just..

VALUES = mysql_real_escape(VALUES);

before submitting or something similar? maybe urlencode

Karl DeSaulniers
Design Drumm
http://designdrumm.com
Re: [PHP-DB] Re: Stuck in apostrophe hell
On 03/08/10 23:04, paul_s_john...@mnb.uscourts.gov wrote:

> Yes, I may have mixed up the input and output from different iterations of
> running it. Let me try posting this again although it may not be an issue.
> Once again if I enter two sequential apostrophes in the name (O''Brien)
> the INSERT passes right through to MySQL without an error.
>
> THE INPUT:
>
> $sql_insert_registration = sprintf("INSERT INTO
> Registrations (
> Class_ID,
> prid,
> Registrant,
> Company,
> Phone,
> Email
> )
> VALUES (
> $_POST[Class_ID],

^^ needs a mysql_real_escape_string or validation to make sure it's an integer

> $_POST[prid],

^^ needs a mysql_real_escape_string or validation to make sure it's an integer

> '%s',".

^^ has a mysql_real_escape_string, but it's the only one.

> parseNull($_POST['Company']).",

Without knowing what this function does, it's hard to say what this needs.

> '$_POST[Phone]',

^^ needs a mysql_real_escape_string

> '$_POST[Email]'

^^ needs a mysql_real_escape_string

> )", mysql_real_escape_string($_POST['Registrant']));

This has already all been pointed out previously.

--
Postgresql & php tutorials
http://www.designmagick.com/
Re: [PHP-DB] Re: Stuck in apostrophe hell
On 3 August 2010 15:04, wrote:

> Yes, I may have mixed up the input and output from different iterations of
> running it. Let me try posting this again although it may not be an issue.
> Once again if I enter two sequential apostrophes in the name (O''Brien)
> the INSERT passes right through to MySQL without an error.
>
> THE INPUT:
>
> $sql_insert_registration = sprintf("INSERT INTO
> Registrations (
> Class_ID,
> prid,
> Registrant,
> Company,
> Phone,
> Email
> )
> VALUES (
> $_POST[Class_ID],
> $_POST[prid],
> '%s',".
> parseNull($_POST['Company']).",
> '$_POST[Phone]',
> '$_POST[Email]'
> )", mysql_real_escape_string($_POST['Registrant']));
>
> echo "$_POST['Registrant".$_POST["Registrant"]."";
> echo "".mysql_real_escape_string($_POST["Registrant"])."";
> echo "".$sql_insert_registration."";
>
>
> THE OUTPUT:
>
> Brian O'Brien
> Brian O\'Brien
> INSERT INTO
> Registrations (
> Class_ID,
> prid,
> Registrant,
> Company,
> Phone,
> Email
> )
> VALUES (
> 355,
> 257,
> 'Brian O\'Brien',NULL,
> '612-456-5678',
> 'someb...@somewhere.org'
> )
> Error: You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> 'Brien', 'Class registration confirmation', ' This email ' at line 16
>

Strangely, you have still failed to provide the input that is actually sent to mysql.

Look at the error code: "... for the right syntax to use near 'Brien', 'Class registration confirmation', ' This email '" - "Class registration confirmation" does not appear anywhere in the output section you posted but it appears in the mysql error. I'd do as Bret suggested and turn on query logging in mysql to see what is actually received.

Regards
Peter

--
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
[PHP-DB] Re: Stuck in apostrophe hell
Yes, I may have mixed up the input and output from different iterations of running it. Let me try posting this again although it may not be an issue. Once again if I enter two sequential apostrophes in the name (O''Brien) the INSERT passes right through to MySQL without an error.

THE INPUT:

$sql_insert_registration = sprintf("INSERT INTO
Registrations (
Class_ID,
prid,
Registrant,
Company,
Phone,
Email
)
VALUES (
$_POST[Class_ID],
$_POST[prid],
'%s',".
parseNull($_POST['Company']).",
'$_POST[Phone]',
'$_POST[Email]'
)", mysql_real_escape_string($_POST['Registrant']));

echo "$_POST['Registrant".$_POST["Registrant"]."";
echo "".mysql_real_escape_string($_POST["Registrant"])."";
echo "".$sql_insert_registration."";

THE OUTPUT:

Brian O'Brien
Brian O\'Brien
INSERT INTO
Registrations (
Class_ID,
prid,
Registrant,
Company,
Phone,
Email
)
VALUES (
355,
257,
'Brian O\'Brien',NULL,
'612-456-5678',
'someb...@somewhere.org'
)
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Brien', 'Class registration confirmation', ' This email ' at line 16

Paul S. Johnson
U.S. Bankruptcy Court
District of Minnesota
paul_s_john...@mnb.uscourts.gov
612-664-5276